Improper access control in P2P SDK - CVE-2021-28372
Published: August 18, 2021 / Updated: August 18, 2021
Vulnerability identifier: #VU55929
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-28372
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
P2P SDK
P2P SDK
Software vendor:
ThroughTek
ThroughTek
Description
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions to gain access to sensitive information (such as camera feeds) and execute arbitrary code on the system.
This vulnerability affects the following versions of P2P Software Development Kit (SDK):
- SDK versions with the nossl tag
- Device firmware that does not use AuthKey for IOTC connection
- Device firmware using the AVAPI module without enabling DTLS mechanism
- Device firmware using P2PTunnel or RDT module
Remediation
Install updates from vendor's website.
External links
- https://www.fireeye.com/blog/threat-research/2021/08/mandiant-discloses-critical-vulnerability-affecting-iot-devices.html
- https://github.com/fireeye/Vulnerability-Disclosures/blob/master/FEYE-2021-0020/FEYE-2021-0020.md
- https://www.throughtek.com/about-throughteks-kalay-platform-security-mechanism/
- https://us-cert.cisa.gov/ics/advisories/icsa-21-229-01